A Preliminary Study on the Profile permission Control System of Solaris
Source: Internet
Author: User
Commands such as pfexec on Solaris look strange at first, and I did not understand how to use them. On looking into it, pfexec turns out to be the front end of a newer permission management system (profiles) that lets user permissions be controlled at a much finer granularity.
One of the main motivations for this system is that, with it, you can remove the setuid bit from the OS's built-in commands instead of relying on suid binaries.
For example, if you want the user test to execute /usr/bin/sh with uid=0 and euid=0, you can use the following control policy:
Add the following line to /etc/user_attr (fields are user:qualifier:res1:res2:attr):
test::::type=normal;auths=solaris.*,solaris.grant;profiles=ATestProfile
Add the following line to /etc/security/exec_attr (fields are name:policy:type:res1:res2:id:attr):
ATestProfile:suser:cmd:::/usr/bin/sh:uid=0;euid=0
Together these two entries mean that the profile of user test is ATestProfile, and that a user whose profile is ATestProfile executes /usr/bin/sh under the suser policy (that is what "suser" means) with uid=0 and euid=0.
The command field (here /usr/bin/sh) may also be a wildcard such as *, which matches any command.
With that in place, the following works:
bash-2.03$ id
uid=1022(test) gid=1(other)
bash-2.03$ pfexec /usr/bin/sh
# id
uid=0(root) gid=1(other)
#
This is how the permissions of user test are controlled when it executes the /usr/bin/sh program.
If a user's profile is Audit Control, that user can run commands such as /etc/security/bsmconv with uid=0. However, these commands are shell scripts that invoke many other commands by relative path rather than absolute path:
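To audit such policies, here is an added Python script (not from the original article) that parses /etc/user_attr and /etc/security/exec_attr in the field layout shown above and lists, per user, which commands a profile lets them run with uid or euid 0, including the wildcard case. It assumes the Solaris 8 file formats, does not follow profiles nested through prof_attr, and uses constructed sample data (the article's two entries plus the default root line and an assumed "All" entry).

```python
import fnmatch

# Constructed sample data: the article's two entries plus the default root line
# and an assumed 'All' entry (field layout per user_attr(4)/exec_attr(4)).
USER_ATTR = """\
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
test::::type=normal;auths=solaris.*,solaris.grant;profiles=ATestProfile
"""
EXEC_ATTR = """\
All:suser:cmd:::*:
ATestProfile:suser:cmd:::/usr/bin/sh:uid=0;euid=0
"""

def parse_attrs(field):
    """Turn 'k=v;k2=v2' into a dict; an empty field yields {}."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)

def parse_user_attr(text):
    """Map user -> profile names (user:qualifier:res1:res2:attr)."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _q, _r1, _r2, attr = line.split(":", 4)
            profs = parse_attrs(attr).get("profiles", "")
            users[user] = [p for p in profs.split(",") if p]
    return users

def parse_exec_attr(text):
    """Map profile -> [(command pattern, attrs)] (name:policy:type:res1:res2:id:attr)."""
    profiles = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pol, kind, _r1, _r2, cmd, attr = line.split(":", 6)
            if kind == "cmd":
                profiles.setdefault(name, []).append((cmd, parse_attrs(attr)))
    return profiles

def privileged_commands(user, users, profiles):
    """Commands `user` may pfexec with uid or euid 0, keyed by command pattern."""
    out = {}
    for prof in users.get(user, []):
        for cmd, attrs in profiles.get(prof, []):
            if "0" in (attrs.get("uid"), attrs.get("euid")):
                out[cmd] = attrs
    return out

def can_run_as_root(user, path, users, profiles):
    """True if a uid-0 entry, including the '*' wildcard, matches `path`."""
    pats = privileged_commands(user, users, profiles)
    return any(fnmatch.fnmatchcase(path, pat) for pat in pats)
```

On the sample data, privileged_commands("test", ...) returns only /usr/bin/sh with uid=0;euid=0, matching the session above, while the "All" entry grants no elevated ids because its attr field is empty.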
....
PROG=bsmconv
STARTUP=/etc/security/audit_startup
DEVALLOC=/etc/security/device_allocate
DEVMAPS=/etc/security/device_maps
TEXTDOMAIN="SUNW_OST_OSCMD"
export TEXTDOMAIN
permission()
{
	WHO=`id | cut -f1 -d" "`    # <----------- here
	if [ ! "$WHO" = "uid=0(root)" ]
	then
		form=`gettext "%s: ERROR: you must be super-user to run this script."`
		printf "${form}\n" $PROG
		exit 1
	fi
.........
Because commands like id are looked up through the caller's PATH rather than by absolute path, a registered user whose profile is Audit Control can obtain root permission through this security weakness; scripts that run under a privileged profile should set PATH explicitly or call commands by absolute path.
Fortunately, by default user_attr contains only a single line:
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
For a system administrator, the profile system is very convenient for managing permissions at a fine granularity.
All of the above was tested on Solaris 8.
Solaris 9 still uses this system.